PESCMS-TEAM 2.2.2 has a file upload vulnerability in /Public/?g=Team&m=Setting&a=upgrade #2

Closed
snappyJack opened this issue Aug 30, 2018 · 2 comments

@snappyJack

This page lets the user upgrade the PESCMS system manually.

Following the mtUpgrade function, the uploaded file's extension must be “zip”.

and follow the unzip function

Following the simulateInstall function and the install function, we can see the file is decompressed in the root directory.

So, we can create an evil.php

and compress it as evil.zip, and upload the evil.zip.

At last, the system decompresses evil.zip, and evil.php is in the root directory.

@lazyphp
Owner

lazyphp commented Aug 31, 2018

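My English is limited, so I will use Chinese here:
Since the program is mainly deployed on internal networks, the manual update routine does not perform hash verification against the official release. So there is indeed a privilege escalation risk. These features are still being tuned; in a near-future version the update function will require hash verification against the official update package, and the update will only run when the hash matches.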
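
The hash check described in the comment above, as an added example in PHP (not code from PESCMS or from either commenter). The function name `installVerifiedUpdate`, its parameters and the staging directory are hypothetical, and the expected SHA-256 is assumed to come from a trusted vendor channel rather than from the upload itself.

```php
<?php
// Added example: hypothetical helper, not PESCMS code. $expectedSha256 is assumed
// to come from a trusted channel (e.g. the vendor's release manifest), never from the upload.
function installVerifiedUpdate(string $zipPath, string $expectedSha256, string $stagingDir): array
{
    // 1. Hash the uploaded archive; compare in constant time.
    $actual = hash_file('sha256', $zipPath);
    if ($actual === false || !hash_equals(strtolower($expectedSha256), $actual)) {
        throw new RuntimeException('Update package hash mismatch; refusing to install.');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open update package.');
    }
    // 2. Defence in depth: reject entries that would escape the staging directory.
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = str_replace('\\', '/', (string) $zip->getNameIndex($i));
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)
            || in_array('..', explode('/', $name), true)) {
            $zip->close();
            throw new RuntimeException("Unsafe archive entry: {$name}");
        }
        $names[] = $name;
    }
    // 3. Extract into a staging directory, not directly into the site root.
    if ((!is_dir($stagingDir) && !mkdir($stagingDir, 0700, true)) || !$zip->extractTo($stagingDir)) {
        $zip->close();
        throw new RuntimeException('Extraction to staging directory failed.');
    }
    $zip->close();
    return $names;
}

// Constructed demo: build a small package, then try a correct and a wrong hash.
$pkg = sys_get_temp_dir() . '/update-demo-' . bin2hex(random_bytes(4)) . '.zip';
$z = new ZipArchive();
$z->open($pkg, ZipArchive::CREATE);
$z->addFromString('Upgrade/readme.txt', "constructed sample update\n");
$z->close();
$good = hash_file('sha256', $pkg);
$stage = sys_get_temp_dir() . '/update-stage-' . bin2hex(random_bytes(4));
print_r(installVerifiedUpdate($pkg, $good, $stage));
try {
    installVerifiedUpdate($pkg, str_repeat('0', 64), $stage);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The hash comparison is the control the comment refers to; the entry-name check and the staging directory are additional hardening so that a package is never unpacked straight into the web root.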

@lazyphp
Owner

lazyphp commented Apr 10, 2019

The upcoming new version already comes close to addressing this issue. https://github.com/lazyphp/PESCMS-TEAM/tree/dev-2.3.0

@lazyphp lazyphp closed this as completed Apr 10, 2019